On 13-07-2015 14:42, Michael McConville wrote:
> Part of it was that you need inbound IPv6 ICMP and UDP ports open. This
> seems like a fundamentally bad idea because it prevents client machines
> from just blocking all incoming connections (something I've done since
> starting with OpenBSD).

The client doesn't need inbound UDP ports to be open. The OpenBSD firewall does, if you're using DHCPv6 to configure it. If using SLAAC, only RS and RA ICMP messages are needed. Since stateless configuration is done using multicast (ff02) and link-local (fe80) addresses, there is no need to worry. You can even make a rule allowing only your CPE link-local, if you want.

> Also, DHCPv4 seems to do fine without incoming
> connections. Maybe there's a good reason for them, though.

DHCPv4 needs port 68 udp to be open. The difference is that many firewall implementations (not pf) have this allowed in their default configuration.


> Here's the guide that solved my pf woes:
>
>         http://pivotallabs.com/configuring-freebsd-9-1-as-an-ipv6-dhcp-client/
>
> I was considering trying to develop a tool to make it a smoother
> process. However, it increasingly seems like a consequence of DHCPv6
> being unnecessarily complex.

You don't need DHCPv6. I use stateless both for my firewall getting its IPv6 address from the CPE and for it advertising the prefix on the internal network. Most modern systems can configure the DNS using stateless configuration. So only a subset of ICMPv6 messages need to be allowed both on the router and clients.

Cheers,
Giancarlo Razzolini
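An added example, not from this thread or its authors: a pf.conf fragment for the SLAAC-only firewall Giancarlo describes (RA from the CPE only, RS from the LAN, ND everywhere), with the DHCPv6 client rule shown commented out for comparison. The interface macros and the CPE link-local address are assumptions.

```pf
# pf.conf fragment (added example; interface macros are assumptions)
ext_if = "em0"      # faces the CPE
int_if = "em1"      # internal LAN where this box advertises the prefix
cpe_ll = "fe80::1"  # placeholder: replace with the CPE's link-local address

set skip on lo
block return        # default deny in both directions
pass out quick      # stateful outbound; replies come back through the state

# Neighbor Discovery is link-scoped and must work on every IPv6 interface,
# otherwise nothing on the link (including the CPE default route) resolves.
pass in quick inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }

# SLAAC on the outside: accept Router Advertisements only from the CPE's
# link-local address. Our own Router Solicitations leave via "pass out".
pass in quick on $ext_if inet6 proto icmp6 icmp6-type routeradv \
    from $cpe_ll to { fe80::/10, ff02::1 }

# SLAAC on the inside: accept Router Solicitations sent to all-routers so
# this box can answer them with Router Advertisements.
pass in quick on $int_if inet6 proto icmp6 icmp6-type routersol to ff02::2

# Needed only if the external interface is configured with DHCPv6.
# The client sends to the multicast group ff02::1:2 port 547, but the server
# answers from its own unicast address, so the reply does not match the state
# created by the outbound packet and needs an explicit inbound rule.
# pass in quick on $ext_if inet6 proto udp \
#     from fe80::/10 port 547 to fe80::/10 port 546
```

Everything else inbound on $ext_if, including all other ICMPv6 types, still falls through to the `block return` default.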
